test_security_server_audit.py
python
sha256:34035d72cef530c1ab9d6a6f53be18d803dde705fc3157617d70352a96d0747b
Merge branch 'fix/wire-push-external-parent-manifest' into dev
Human
8 days ago
| 1 | """Phase 7 — MuseHub server security audit. |
| 2 | |
| 3 | Invariants |
| 4 | ---------- |
| 5 | The MuseHub server must NEVER touch Ed25519 private key material. |
| 6 | All authentication is challenge-response: the server holds only public keys |
| 7 | and verifies signatures produced by the client. |
| 8 | |
| 9 | P7-1 crypto/keys.py exports no private key loading or generation functions. |
| 10 | P7-2 musehub_auth_models.MusehubAuthKey stores only public_key_b64 and |
| 11 | fingerprint — no private_key, key_path, or mnemonic columns. |
| 12 | P7-3 request_signing._verify_msign reads public keys from DB; it never calls |
| 13 | any private-key function. |
| 14 | P7-4 No source file under musehub/ (excluding deploy/, docs/, tests/) contains |
| 15 | the string "private_key" in a live code path — only in comments/docstrings. |
| 16 | P7-5 musehub/mcp/prompts.py contains no stale reference to ~/.muse/keys/*.pem. |
| 17 | P7-6 musehub/auth/request_signing.py does not import any PEM-reading symbol. |
| 18 | """ |
| 19 | |
| 20 | from __future__ import annotations |
| 21 | |
| 22 | import ast |
| 23 | import pathlib |
| 24 | |
| 25 | |
| 26 | MUSEHUB_ROOT = pathlib.Path(__file__).parent.parent / "musehub" |
| 27 | |
| 28 | |
| 29 | # --------------------------------------------------------------------------- |
| 30 | # P7-1 — crypto/keys.py exports no private-key functions |
| 31 | # --------------------------------------------------------------------------- |
| 32 | |
| 33 | |
| 34 | class TestCryptoKeysPublicOnly: |
| 35 | def test_P7_1_no_private_key_generation(self) -> None: |
| 36 | """crypto/keys.py must not export any private-key generation or loading.""" |
| 37 | keys_src = (MUSEHUB_ROOT / "crypto" / "keys.py").read_text() |
| 38 | forbidden = [ |
| 39 | "generate_private_key", |
| 40 | "Ed25519PrivateKey", |
| 41 | "from_private_bytes", |
| 42 | "load_pem_private_key", |
| 43 | "load_der_private_key", |
| 44 | ] |
| 45 | for symbol in forbidden: |
| 46 | assert symbol not in keys_src, ( |
| 47 | f"crypto/keys.py must not reference '{symbol}' — " |
| 48 | "server never handles private key material" |
| 49 | ) |
| 50 | |
| 51 | def test_P7_1b_verify_signature_uses_public_key_only(self) -> None: |
| 52 | """verify_signature must accept public_key_bytes, not private_key_bytes.""" |
| 53 | from musehub.crypto.keys import verify_signature |
| 54 | import inspect |
| 55 | sig = inspect.signature(verify_signature) |
| 56 | param_names = set(sig.parameters) |
| 57 | assert "public_key_bytes" in param_names |
| 58 | assert "private_key_bytes" not in param_names |
| 59 | assert "private_key" not in param_names |
| 60 | |
| 61 | |
| 62 | # --------------------------------------------------------------------------- |
| 63 | # P7-2 — DB model stores only public key data |
| 64 | # --------------------------------------------------------------------------- |
| 65 | |
| 66 | |
| 67 | class TestAuthKeyModelPublicOnly: |
| 68 | def test_P7_2_no_private_key_columns(self) -> None: |
| 69 | """MusehubAuthKey must have no private-key, key_path, or mnemonic columns.""" |
| 70 | from musehub.db.musehub_auth_models import MusehubAuthKey |
| 71 | from sqlalchemy import inspect as sa_inspect |
| 72 | |
| 73 | mapper = sa_inspect(MusehubAuthKey) |
| 74 | column_names = {col.key for col in mapper.mapper.columns} |
| 75 | |
| 76 | forbidden_columns = {"private_key", "key_path", "mnemonic", "secret", "pem"} |
| 77 | overlap = forbidden_columns & column_names |
| 78 | assert not overlap, ( |
| 79 | f"MusehubAuthKey must not have private-key columns; found: {overlap}" |
| 80 | ) |
| 81 | |
| 82 | def test_P7_2b_public_key_b64_column_exists(self) -> None: |
| 83 | """MusehubAuthKey must have public_key_b64 and fingerprint columns.""" |
| 84 | from musehub.db.musehub_auth_models import MusehubAuthKey |
| 85 | from sqlalchemy import inspect as sa_inspect |
| 86 | |
| 87 | mapper = sa_inspect(MusehubAuthKey) |
| 88 | column_names = {col.key for col in mapper.mapper.columns} |
| 89 | |
| 90 | assert "public_key_b64" in column_names |
| 91 | assert "fingerprint" in column_names |
| 92 | |
| 93 | |
| 94 | # --------------------------------------------------------------------------- |
| 95 | # P7-3 — request_signing imports no private-key symbols |
| 96 | # --------------------------------------------------------------------------- |
| 97 | |
| 98 | |
| 99 | class TestRequestSigningImports: |
| 100 | def test_P7_3_no_private_key_imports(self) -> None: |
| 101 | """request_signing.py must not import any private-key symbol.""" |
| 102 | src = (MUSEHUB_ROOT / "auth" / "request_signing.py").read_text() |
| 103 | forbidden_imports = [ |
| 104 | "Ed25519PrivateKey", |
| 105 | "load_pem_private_key", |
| 106 | "load_der_private_key", |
| 107 | "generate_private_key", |
| 108 | "load_private_key", |
| 109 | ] |
| 110 | for symbol in forbidden_imports: |
| 111 | assert symbol not in src, ( |
| 112 | f"request_signing.py must not import '{symbol}' — " |
| 113 | "server only verifies signatures, never signs" |
| 114 | ) |
| 115 | |
| 116 | def test_P7_6_no_pem_reader_imports(self) -> None: |
| 117 | """request_signing.py must not import any PEM-reading function.""" |
| 118 | src = (MUSEHUB_ROOT / "auth" / "request_signing.py").read_text() |
| 119 | assert ".pem" not in src |
| 120 | assert "load_pem" not in src |
| 121 | |
| 122 | |
| 123 | # --------------------------------------------------------------------------- |
| 124 | # P7-4 — No live private-key code paths in musehub/ application source |
| 125 | # --------------------------------------------------------------------------- |
| 126 | |
| 127 | |
| 128 | class TestNoPrivateKeyInAppCode: |
| 129 | _SKIP_DIRS = {"deploy", "tests", "templates"} |
| 130 | _SKIP_EXTS = {".md", ".html", ".sh", ".conf", ".txt", ".toml", ".json"} |
| 131 | |
| 132 | def _app_py_files(self) -> list[pathlib.Path]: |
| 133 | files = [] |
| 134 | for p in MUSEHUB_ROOT.rglob("*.py"): |
| 135 | if any(part in self._SKIP_DIRS for part in p.parts): |
| 136 | continue |
| 137 | files.append(p) |
| 138 | return files |
| 139 | |
| 140 | def test_P7_4_no_ed25519_private_key_in_app_code(self) -> None: |
| 141 | """No application .py file may instantiate or import Ed25519PrivateKey.""" |
| 142 | violations: list[str] = [] |
| 143 | for path in self._app_py_files(): |
| 144 | src = path.read_text() |
| 145 | tree = ast.parse(src, filename=str(path)) |
| 146 | for node in ast.walk(tree): |
| 147 | # Check string literals and names — not comments or docstrings |
| 148 | if isinstance(node, ast.Name) and node.id == "Ed25519PrivateKey": |
| 149 | violations.append(f"{path.relative_to(MUSEHUB_ROOT.parent)}:{node.lineno}") |
| 150 | elif isinstance(node, ast.Attribute) and node.attr == "Ed25519PrivateKey": |
| 151 | violations.append(f"{path.relative_to(MUSEHUB_ROOT.parent)}:{node.lineno}") |
| 152 | assert not violations, ( |
| 153 | f"Ed25519PrivateKey referenced in musehub application code:\n{'\n'.join(violations)}" |
| 154 | ) |
| 155 | |
| 156 | def test_P7_4b_no_load_private_key_calls(self) -> None: |
| 157 | """No application .py file may call load_private_key or load_pem_private_key.""" |
| 158 | violations: list[str] = [] |
| 159 | for path in self._app_py_files(): |
| 160 | src = path.read_text() |
| 161 | for symbol in ("load_private_key", "load_pem_private_key", "load_der_private_key"): |
| 162 | if symbol in src: |
| 163 | violations.append(f"{path.relative_to(MUSEHUB_ROOT.parent)}: {symbol}") |
| 164 | assert not violations, ( |
| 165 | f"Private key loading found in musehub application code:\n{'\n'.join(violations)}" |
| 166 | ) |
| 167 | |
| 168 | |
| 169 | # --------------------------------------------------------------------------- |
| 170 | # P7-5 — No stale ~/.muse/keys/*.pem reference in MCP prompts |
| 171 | # --------------------------------------------------------------------------- |
| 172 | |
| 173 | |
| 174 | class TestNoStalePemReferences: |
| 175 | def test_P7_5_mcp_prompts_no_pem_path(self) -> None: |
| 176 | """musehub/mcp/prompts.py must not reference ~/.muse/keys/*.pem (stale architecture).""" |
| 177 | src = (MUSEHUB_ROOT / "mcp" / "prompts.py").read_text() |
| 178 | assert "~/.muse/keys/" not in src, ( |
| 179 | "musehub/mcp/prompts.py contains a stale reference to ~/.muse/keys/ — " |
| 180 | "keys are now derived from the OS-keychain mnemonic, no PEM files" |
| 181 | ) |
| 182 | |
| 183 | def test_P7_5b_identity_template_no_key_path_column(self) -> None: |
| 184 | """The identity docs template must not describe key_path as a valid field.""" |
| 185 | template = ( |
| 186 | MUSEHUB_ROOT.parent / "musehub" / "templates" / "musehub" / "pages" |
| 187 | / "docs_muse_identity.html" |
| 188 | ) |
| 189 | if not template.exists(): |
| 190 | return # template may not exist in all environments |
| 191 | src = template.read_text() |
| 192 | assert "key_path" not in src, ( |
| 193 | "docs_muse_identity.html still describes key_path — " |
| 194 | "this field was removed in Phase 3 of the key-material security migration" |
| 195 | ) |
| 196 | assert "/.muse/keys/" not in src, ( |
| 197 | "docs_muse_identity.html still references ~/.muse/keys/ PEM paths" |
| 198 | ) |
File History
14 commits
sha256:34035d72cef530c1ab9d6a6f53be18d803dde705fc3157617d70352a96d0747b
Merge branch 'fix/wire-push-external-parent-manifest' into dev
Human
8 days ago
sha256:fc04e4cae9e1774d6a21b65c45daeed0e6787eb581d13aa1b03bfe9384a34226
Merge branch 'fix/two-column-scroll-layout' into dev
Human
8 days ago
sha256:408916fc5973ba59c6e4eebaa80ebdcc801c0a63205651e25009d11548f79454
chore: bump version to 0.2.0.dev2 — nightly.2, matching muse
Sonnet 4.6
patch
11 days ago
sha256:d035733f21ccff27735fddebfbbe0ed24565a32a22db8de5885402262671ecd2
chore: bump version to 0.2.0rc15 for musehub#113 fix release
Sonnet 4.6
patch
14 days ago
sha256:0032d6cfa33bc3c8367436ad768e7dd0e339b4332153160247da8266cb5fa352
Merge branch 'task/version-tags-phase3-server' into dev
Human
17 days ago
sha256:4669620efda9ff41c55bdefd1f7bfe1c239d468428744c84ead9957e5a003a53
merge: rescue snapshot-recovery hardening (c00aa21d) into d…
Opus 4.8
minor
⚠
29 days ago
sha256:a59da49c4611b970fc4b6ae48678ce4943261c213a07ddbd73ce9201df869b4a
fix: remove false-positive proposal_comments index drop fro…
Sonnet 4.6
patch
33 days ago
sha256:0a240d6dbff234f07d98a28a4a9a68db702f3f9ff9260196f24219bdb1c0b6f3
feat: render markdown mists as HTML with heading anchor links
Sonnet 4.6
patch
34 days ago
sha256:24a7d47486ebc4ebd1832830580e177ec6f877b48dced8c000e198cdec4ce9d6
Merge 'task/bump-version-rc12' into 'dev' — proposal: Bump …
Human
35 days ago
sha256:b9ff931d147e0114a1f17060f415b89ed551c170a91ff226c70437aa5c85f9ee
Merge 'task/bump-version-rc12' into 'dev' — proposal: Bump …
Human
35 days ago
sha256:d1122d21e73471879b460037b22c0b50fded7c423444a176f248428f75dac39c
Merge 'task/fix-issue-pagination-cursor' into 'dev' — propo…
Human
35 days ago
sha256:01e18975e73d2b3cd5b6db7929c895bef9aa6e0d4391dc5b2adfc548b41318dd
Merge 'feat/adding-debug-logs-to-staging' into 'dev' — prop…
Human
35 days ago
sha256:6b1949fc2797ca4c1936a637a4cbfec828ef56cf52398a2e74ca3c4f494e728f
fix: use wire_bytes not mpack_bytes_raw in compute_object_b…
Sonnet 4.6
patch
48 days ago
sha256:b99f2455dc346966d040133f5203297e6e3ef5803a93728a2c30568d0a0f7583
rename: delta_add → delta_upsert across wire format, models…
Sonnet 4.6
patch
50 days ago